Rootkit - A Malware Or Not?

Rootkit is definitely a completely new step in the software development. It is not malicious on its nature, that it why it cannot be detected by traditional ways, like a virus or a worm, or any other malicious software. Moreover, even if in some way you will detect it, most likely, you will not be able to remove it from the system. You will either to hire a professional, or to reboot the system, or to purchase a special software to remove the rootkit. In order to protect your system from a rootkit, it is recommended to take usual security measures, such as deploying firewalls protection, install and configure the OS professionally, physical access to the networks shall be controlled, physical access to the hosts shall be controlled, download and install the software only from official sources, use an antivirus software and keep it updated, turn on malware detectors, apply authentication procedures for any kind of system access, try not to run many tasks as an administrator, basically, try to run as few processes as an administrator as possible, checksums of critical system files shall be generated as “read-only”. Also, you shall know your system, in :clean” condition” and monitor it constantly for the maintaining of this clean condition. Once a deviation is detected, you shall find out whether it is connected with some internal processes of the system, or it was the result of an outside intrusion. Any deviation can be a signal, that in your system there is a rootkit working, and the results of its work can be devastating. The presence of a rootkit normally means more serious penetration in the depth of the system, and penetration of such kind is very difficult to detect and even more difficult to remove. Once you detected any kind of activity of a rootkit, be ready to fight it off by all means, because your system is vulnerable, and to such extend, that once it may stop belonging to you anymore.
19.07.2016
Rootkit - A Malware Or Not?

What is a rootkit?

Rootkit – the name itself consists of two parts: Root and Kit. This program gives the intruder the “Root”, or a privilege of an administrator in the system. It can influence on many processes, though on itself, it is not malicious. Let us check in more details, what exactly the rootkit is, how it gets into the system, what it causes and how to fight with it.

First of all, as we already mentioned, it is NOT a malicious software. Why then all are so much afraid of it? Mostly, it is because of a backdoor, that it leaves in the system. You definitely remember those Hollywood films about smart guys who were breaking in the most protected systems by using the backdoor. Well, now we can say, that this is not an invention, nothing from the science fiction. This backdoor is the most unpleasant thing in case with a rootkit. This is a point of access to your system. Through it, the hacker can do many bad things, such as data theft, information collection and all other. Practically, it can manage your computer. In some cases, the backdoor is not needed, especially, if the main target of the software is information collection, or something else, that requires time. In such cases, not the backdoor is the main target, but the main thing is that the software stays undetected.

Rootkit allows to get access to the root, of the main user, or to provide constant not detectable presence on computer. In both cases, the software itself is not bad, but bad may be the reasons for which it is used. In some cases, it is used in a legitimate way, for example, upon a court order or in big corporations for special purposes.

The main principle of the rootkit functioning is modification of the software. What kind of modification? There are several kinds, and all of them are connected with security reasons. The first and, probably, the simplest modification is Patching. The thing is that an executable code of any software consists of a series of encoded statements, in bytes. They follow in a specific order. If this order is modified, then the logic of the software changes, too. Hence, the security is compromised.

The next way of software modification is called Easter Eggs. But the thing itself is far not as pleasant as the name. This is when the logic of the software is modified through the backdoor. In most cases, it is left by the programmer, who was the developer of the software. It is used mostly like a kind of a signature, that this program was developed by this programmer.

Spyware modifications – it is when one program modifies the software, and target of this modification is to infect the software. In this case, this is a malicious action.

Is a rootkit an exploit?

No, it is not. It is just a program, that gives access, but it can be easily used with an exploit. And well, it can incorporate a software exploit. A new way to install a rootkit is actually through an exploit. For example, through buffer overflow. Though a rootkit is not an exploit, but this is not only an advantage, but also a danger. As it is not malicious, none firewall is able to protect from it, and usually, an average level of anti malware is not able to detect it either. That is why, if you want to be completely protected, you shall take care to purchase an advanced antivirus and antimalware software.

Is rootkit a virus?

To start with, a virus is a program that is self-propagating in a system. The rootkit doesn’t self-propagate and doesn’t possess any kind of intelligence, it is under a complete control of the person who initiated the attack. That is why it can be used for legitimate control, when a controlling person has access only to a certain kind of data, and must not exceed the legitimate limits. Virus in such circumstances would be out of control. But, it is possible to design a worm, that is spreading via the exploit, and this is an efficient way to keep the virus / worm undetected for a long time. Usually, such method is used to collect information, as the virus cannot be detected for a long time, or, in some cases, it may contain a land-mine timer, so, after some time it will collapse without leaving any traits. The main thing, that the mission is completed and there is no other damage to the system where it was.

But, there is a trend to use software exploits to propagate viruses. This trend poses a huge danger to computers working on Windows OS, as such viruses are extremely difficult to detect. Even more dangerous is, that Windows has many bugs and exploits, and new and new are discovered. But if you were a hacker, with an intention to use those exploits, would you inform everybody about it? Of course, not. Moreover, you would do all possible to keep it in secret, as long as it is possible. That is why, if you know the rootkit technology, you will know better how to protect yourself and your system.

Rootkit – what kind is more dangerous?

Application rootkits – they change the user mode applications, usually it is done to hide themselves from detection

Kernel dome rootkits – they change kernel mode applications, the driver program code, to protect themselves from detection, too. These rootkits are more dangerous, because if there is a virus, that infected the system through this kind of a rootkit, then it is almost impossible to detect it.

Virtual machine rootkit – this rootkit turns itself in a Base operating system, while the system itself starts working as a Guest operating system. This is extremely dangerous, because for now, there is no way to detect, does the OS work as a Base or a Guest.

Though detecting a rootkit is really complicated, due to mentioned reasons, but there are some kinds of special advanced software that are able to do it. Rootkits become a part of the OS, that is why very efficient is a very simple method, like booting a good copy of the OS, like this, your system will be simply reinstalled, without a rootkit. What about usual antivirus programs, they are rather useless both in detection and removal of rootkits. For example, rootkits change files in the way, to not to be detected. And well, they aren’t viruses. But, nowadays exist advanced antivirus kinds of software with improved functionality, and they can even detect rootkits and fight them off.

The best way though is to take a snap of the newly installed OS and the OS that has been in use and is suspected to contain a rootkit. If there are any changes detected, it is a sign, that a rootkit is in your system. There are more advanced softwares that use artificial intelligence to detect any changes in the system. They are efficient in detection of rootkits, too. They use different algorithms to detect rootkits, the most popular among them are signature-based, similar ones are applied for viruses detection, integrity-based, in this case all files, kernel modules and processes are check to verify their binary integrity, taking a memory dump and parsing it for detection of anomalies, signatures or other trends that are due to a rootkit.

Even though there are kinds of software that are able to detect a rootkit, still, far not all of them can remove it. So, knowledge, that your system contains a rootkit, doesn’t help you too much and doesn’t provide much more security.

So, what antivirus / antimalware software provides at least something against rootkits? Is an ordinary software enough to be protected from this threat?
An ordinary software, doesn’t matter how advanced it is, doesn’t provide protection against rootkits, as rootkits aren’t malicious, those aren’t viruses or other malware.

McAfee and Symantec are the ordinary antivirus and antimalware softwares that can detect rootkits. They also provide some protection against installing of rootkits. But in general, required are special tools, to detect these tools and to remove them.

The most famous tool is chkrootkit, and its reputation is well proven. It performs detailed checkups for binary integrity, it checks kernel modules, inspect file modification validations. It works on Linux, too. That is why it is considered one of the most reliable tools of such kind and is a must tool in the portfolio of any administrator.

No rootkits!

And this is of course not just an antivirus or antimalware software, this is a special tool. Such special tools can be divided into host based and network based. The first ones use the active defense system, and they are more dangerous for the rootkits, as they can not only detect, but also prevent the intrusion.

The most famous host based intrusion detection systems are:

  • Blink, or eEye Digital Security
  • Integrity Protection Driver
  • Okena StormWatch
  • Entercept
  • Linux Intrusion Detection System
  • WatchGuard ServerLock

These systems are the greatest threats for rootkits, as they not only detect them, but also prevent them from installing, and from any activities. Basically, whatever the rootkit is up to, it will be detected and stopped.

Network based intrusion detection systems are kind of not so reliable. They deal mostly with big data, and something as small as a rootkit will be noticed rarely, but if with it comes something that takes up much memory, then it will be detected and stopped, together with a rootkit.

0

Comments

Top news

We Are Open! Mission Mont Blanc

Dear visitor of our website, welcome! Finally, the day came when we are able to appeal directly to you and happily announce our new website Raritysoft.com launch, leaving behind a lot of spent time and lines and lines of the software code. On this website, you will find the latest and the most trending information about the software world. We are also glad to help you make the right choice in find...
26.07.2016 by Raritysoft

Mission Mount Elbrus

Friends, we hasten to share the wonderful news with you. While we are working to improve our website functionality, our friends prepared another gift to us and raised our flag on top of Mount Elbrus. It happened on August 23, 2016, at 10.06 in the morning.
14.09.2016 by Raritysoft

My Computer Works On Windows – How Can I Protect It?

Windows is one of the most popular OS nowadays, but it is also the most vulnerable one. Viruses, Trojans, malware, worms, - all those are developed mostly for Windows, and mostly because of its popularity. That is why, if you use a Windows OS, you shall be very careful with security issues. You shall never trust unverified sources for downloads, you shall never open and moreover click on the links...
17.07.2016 by heleneti

10 Most Damaging Viruses And How To Handle Them

Computers are so integrated in our lives, that we cannot imagine our everyday activities without a computer and the internet. It is a pity that we often don’t know about threats, that come from the web, and we don’t suspect about the damage, that those threats can cause not only to our system, which is, of course, unpleasant, but also to us, our friends and family members. This overview will g...
19.07.2016 by heleneti

Virus vs Antivirus – What Is The Winner?

There are different types of viruses nowadays: some of them periodically produce different sounds, some turn a screen upside down (a screen, not a monitor), and some delete all data from computer memory, so a computer cannot be turned on. There is always antipoison to each poison. For this reason, each user installs reliable antivirus software. Many experts are sure that users are not supposed to...
17.07.2016 by heleneti

Is Windows 10 Safe? Security And Compatibility Issues

All in all, we can make a conclusion, that the stories about the awful insecurity of Windows 10 are not the truth, in general. Yes, right, there are some issues, which make concern most of the users, but, first of all, maybe because Microsoft Corporation has never applied tools for tracking user activities before, while those practices are very common for Google and Android. Moreover, most of the ...
17.07.2016 by heleneti